Data Governance, Personal Data Protection Bill, Criminal Law, IT Law, BAI

The Third Working Session of the Indian Bar Association Seminar on Personal Data Protection Bill, 2021 held on 3rd May 2022 in New Delhi and looked into the data governance and criminal law aspect of the draft data protection law. The session was chaired by Shri Shyam Divan – Senior Counsel and Vice President, BAI. He started the discussion by introducing all the speakers.

Rajeev Dutta:

Mr. Rajeev Dutta is Senior Counsel at the Supreme Court. He is also an arbitrator and mediator for multiple resolutions of national and international conflicts. He is the national representative for India on the mediation committee of the International Bar Association. Mr. Dutta noted that a lot of tinkering has been done with the bill which was drafted by the BN Srikrishna Committee, and this process of evolution will continue in the hands of the Joint Parliamentary Committee. He drew the panel’s attention to the question of how this bill will affect the operation of the courts. The contested bill could lead to a flood of litigation and that would mean that advocates need to be familiar with all aspects of the bill. Mr. Dutta believes that as litigants we have two articles of the constitution etched in our minds; section 21 and section 20(3). He scored unanimity Puttaswamy judgment as a starting point for this conversation and data privacy laws. The Supreme Court has said that the right to privacy can only be limited by state action, and this bill can be seen as a step in that direction. He stressed that this bill must ensure three things:

  1. State action must flow from a legislative mandate
  2. Such action must pursue a legitimate state interest and cannot be arbitrary
  3. The action must be proportionate to the cause both in its nature and extent, and must be the least intrusive of all alternative means.

The purpose of the PDP bill is to prevent privacy breach and classify data into personal, sensitive and critical data to ensure adequate protection for everyone. Mr. Dutta noted some merits of the bill; all offline and online personal data requires the individual’s explicit and informed consent before it can be analyzed or shared. In addition, Article 6 of the bill limits the collection of data only to the extent necessary for the purposes of the processing of such personal data. Section 7 details the content of the notice that must be given to data controllers to inform them of the specifics of the processing.

Uday Prakash Warunjikar

Mr. Uday Warunjikar is President of Consumer Courts Advocates Association, Maharashtra and Vice President of BAI. He started the discussion by giving the panel some examples of personal data breaches that have occurred across the country. Instances of identity theft via Aadhar details to commit fraud have been reported to highlight the need for data protection legislation. The need for specific legislation increases with a developing society. In the absence of the IT Act, offenses of 2000 of this nature would have to be classified as trespassing under the Indian Penal Code. Likewise, the current legal framework lacks appropriate legislation to deal with data breaches and privacy. Section 66E of the Computer Law punishes breaches of privacy on the Internet, and Section 43A punishes careless processing of personal data, however, these provisions are found to be insufficient and have specific legislation like the current bill is imperative. Mr. Warunjikar noted that “No law is perfect; it will continue to grow”. This pending bill will also have a huge impact on our neighboring states that do not yet have data protection legislation. It will become a reference which countries like Bangladesh, Cambodia, Sri Lanka, Fiji, Kuwait, etc. be inspired to draft their own laws on the matter.

He concluded his speech by noting a major flaw we have seen in recent cybercrimes, where the victim and the injury are proven, but the accused remains untraceable. Electronic evidence provisions should be read in accordance with recent technological developments to enable maximum justice in these cases.

Anita Gurumurthy:

Ms. Anita Gurumurthy is a founding member and executive director of ‘IT for change’. She leads research on economics, data, AI governance and the feminist aspect of digital justice. It is associated with many international organizations, including the United Nations Secretary-General’s 10-member Group in support of the Technology Facilitation Mechanism.

Ms. Gurumurthy’s discussion of the bill focused on public interest and social justice. The data governance approach in India is focused on utilizing the economic value of data. The inherent tension that exists in data laws is that they imply natural rights like the right to personality, but must also include provisions for using data as a resource. The question that arises is “How to govern something that belongs to everyone?”. Data on a single person has no value as such; it gains value when data about a group of individuals is linked with certain non-personal data to predict consumer habits and natural trends. She then analyzed the developments and issues that have been seen over the five years of GDPR implementation in the EU to highlight what the contested bill could improve. India needs to come up with a specific law that clarifies economic governance, like the EU Digital Markets Act. Comparing India’s PDP Bill with the EU’s GDPR, Ms. Gurumurthy made some observations. First, on informed consent: Article 35 gives the Union unlimited powers to waive consent requirements. This is not in line with the practices followed under the GDPR. Second, employers’ rights versus workers’ rights: the PDP bill authorizes the invasive use of non-personal employee data, such as that of food app delivery people; their locations and other intimate details. In the GDPR, the rights of workers are protected against those of employers. Article 88(1) of the GDPR applies the broader framework of labor rights enjoyed by workers. Third, she highlighted the risks associated with anonymized and pseudonymised data. Fourth, the need to protect group rights. The GDPR is centered on the individual and has failed in this aspect and therefore large group data is viable for exploitation by large companies.

Finally, the conversation around data collection is limited to the issue of data privacy. While privacy is a real concern, the long-term problem with data collection is that it kills the autonomy of society and its culture. The impact of large corporations creating products modeled to modify your needs based on your data will soon be that society will become the result of the products they use, rather than the individual qualities that each person possesses.

Vrinda Bhandari:

Ms. Vrinda Bhandari is a lawyer at the Supreme Court. She holds NLSIU rank, having pursued her Masters in Public Policy at the Blavatnik School of Government and BCL at Oxford University. Ms. Bhandari began her discussion by noting the majority opinion of Judge DY Chandrachud on the Puttaswamy judgment where the fundamental right to privacy was restored, “The creation of such a regime requires a careful and sensitive balance between individual interest and the legitimate concerns of the state.” The test of whether the current PDP bill is complete must be made against this statement. Whatever the details of the bill, it is important for India to pass a data protection bill and start the creative process of the law. The ever-expanding use of technology and surveillance calls for a law that can protect a citizen’s fundamental right in these aspects. There are a few big problems with the current PDP bill. First, The avoidance of surveillance reform: The BN Srikishna committee report had noted that there is no general law in India today that allows non-consensual access to personal data or the intersection personal communications. However, neither the PDP Bill of 2018 nor the PDP Bill of 2021 include any provision protecting citizens from non-consensual mass surveillance. The centralized monitoring system, NATGRID, has still not been reformed, even with the new bill. The lack of parliamentary/institutional support for intelligence agencies also remains unresolved. The preamble and the long title of the new bill 2021 have been modified and now read “to ensure the interest and security of the State“. Ms. Bhandari points out that a data protection law that came about as a result of the Puttaswamy the judgment should be aimed at protecting the privacy of individuals and should not be considered national interest/security legislation. Second, on the exemption clauses: considerable dilutions were made in the exemption clauses compared to what the BN Srikrishna committee had suggested in its report, which were attached to the ideas of legality, necessity and proportionality. Finally, the Data Protection Authority foreseen by the bill has been given many powers, and this should not be limited to a small team of six members. The requirement for an independent panel is of the utmost importance, and we must learn from what is done in other countries, such as the United Kingdom where there are open and free competitions to decide who can be part of of such a committee.

Read also data-protection-regulation-2016-198699

Read also